
Changeset 5402


Timestamp:
05/07/07 02:16:03 (8 years ago)
Author:
ryan
Message:

attribute_escape for widgets. see #4169

File:
1 edited

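--- a/branches/2.2/wp-includes/widgets.php
+++ b/branches/2.2/wp-includes/widgets.php
@@ -339,5 +339,5 @@
         update_option('widget_pages', $options);
     }
-    $title = htmlspecialchars($options['title'], ENT_QUOTES);
+    $title = attribute_escape($options['title']);
 ?>
             <p><label for="pages-title"><?php _e('Title:'); ?> <input style="width: 250px;" id="pages-title" name="pages-title" type="text" value="<?php echo $title; ?>" /></label></p>
@@ -368,5 +368,5 @@
             <div>
             <input type="text" name="s" id="s" size="15" /><br />
-            <input type="submit" value="<?php _e('Search'); ?>" />
+            <input type="submit" value="<?php echo attribute_escape(__('Search')); ?>" />
             </div>
             </form>
@@ -387,5 +387,5 @@
     if($d) {
 ?>
-        <select name="archive-dropdown" onChange='document.location.href=this.options[this.selectedIndex].value;'> <option value=""><?php _e('Select Month'); ?></option> <?php wp_get_archives('type=monthly&format=option'); ?> </select>
+        <select name="archive-dropdown" onChange='document.location.href=this.options[this.selectedIndex].value;'> <option value=""><?php echo attribute_escape(__('Select Month')); ?></option> <?php wp_get_archives('type=monthly&format=option'); ?> </select>
 <?php
     } else {
@@ -413,5 +413,5 @@
     $count = $options['count'] ? 'checked="checked"' : '';
     $dropdown = $options['dropdown'] ? 'checked="checked"' : '';
-    $title = htmlspecialchars($options['title'], ENT_QUOTES);
+    $title = attribute_escape($options['title']);
 ?>
             <p><label for="archives-title"><?php _e('Title:'); ?> <input style="width: 250px;" id="archives-title" name="archives-title" type="text" value="<?php echo $title; ?>" /></label></p>
@@ -432,7 +432,7 @@
             <?php wp_register(); ?>
             <li><?php wp_loginout(); ?></li>
-            <li><a href="<?php bloginfo('rss2_url'); ?>" title="<?php _e('Syndicate this site using RSS 2.0'); ?>"><?php _e('Entries <abbr title="Really Simple Syndication">RSS</abbr>'); ?></a></li>
-            <li><a href="<?php bloginfo('comments_rss2_url'); ?>" title="<?php _e('The latest comments to all posts in RSS'); ?>"><?php _e('Comments <abbr title="Really Simple Syndication">RSS</abbr>'); ?></a></li>
-            <li><a href="http://wordpress.org/" title="<?php _e('Powered by WordPress, state-of-the-art semantic personal publishing platform.'); ?>">WordPress.org</a></li>
+            <li><a href="<?php bloginfo('rss2_url'); ?>" title="<?php echo attribute_escape(__('Syndicate this site using RSS 2.0')); ?>"><?php _e('Entries <abbr title="Really Simple Syndication">RSS</abbr>'); ?></a></li>
+            <li><a href="<?php bloginfo('comments_rss2_url'); ?>" title="<?php echo attribute_escape(__('The latest comments to all posts in RSS')); ?>"><?php _e('Comments <abbr title="Really Simple Syndication">RSS</abbr>'); ?></a></li>
+            <li><a href="http://wordpress.org/" title="<?php echo attribute_escape(__('Powered by WordPress, state-of-the-art semantic personal publishing platform.')); ?>">WordPress.org</a></li>
             <?php wp_meta(); ?>
             </ul>
@@ -449,5 +449,5 @@
         update_option('widget_meta', $options);
     }
-    $title = htmlspecialchars($options['title'], ENT_QUOTES);
+    $title = attribute_escape($options['title']);
 ?>
             <p><label for="meta-title"><?php _e('Title:'); ?> <input style="width: 250px;" id="meta-title" name="meta-title" type="text" value="<?php echo $title; ?>" /></label></p>
@@ -477,5 +477,5 @@
         update_option('widget_calendar', $options);
     }
-    $title = htmlspecialchars($options['title'], ENT_QUOTES);
+    $title = attribute_escape($options['title']);
 ?>
             <p><label for="calendar-title"><?php _e('Title:'); ?> <input style="width: 250px;" id="calendar-title" name="calendar-title" type="text" value="<?php echo $title; ?>" /></label></p>
@@ -513,6 +513,6 @@
         update_option('widget_text', $options);
     }
-    $title = htmlspecialchars($options[$number]['title'], ENT_QUOTES);
-    $text = htmlspecialchars($options[$number]['text'], ENT_QUOTES);
+    $title = attribute_escape($options[$number]['title']);
+    $text = attribute_escape($options[$number]['text']);
 ?>
             <input style="width: 450px;" id="text-title-<?php echo "$number"; ?>" name="text-title-<?php echo "$number"; ?>" type="text" value="<?php echo $title; ?>" />
@@ -547,5 +547,5 @@
 <?php for ( $i = 1; $i < 10; ++$i ) echo "<option value='$i' ".($options['number']==$i ? "selected='selected'" : '').">$i</option>"; ?>
             </select>
-            <span class="submit"><input type="submit" name="text-number-submit" id="text-number-submit" value="<?php _e('Save'); ?>" /></span></p>
+            <span class="submit"><input type="submit" name="text-number-submit" id="text-number-submit" value="<?php echo attribute_escape(__('Save')); ?>" /></span></p>
         </form>
     </div>
@@ -624,5 +624,5 @@
     $hierarchical = $options['hierarchical'] ? 'checked="checked"' : '';
     $dropdown = $options['dropdown'] ? 'checked="checked"' : '';
-    $title = wp_specialchars($options['title']);
+    $title = attribute_escape($options['title']);
 ?>
             <p><label for="categories-title"><?php _e('Title:'); ?> <input style="width: 250px;" id="categories-title" name="categories-title" type="text" value="<?php echo $title; ?>" /></label></p>
@@ -683,5 +683,5 @@
         wp_flush_widget_recent_entries();
     }
-    $title = htmlspecialchars($options['title'], ENT_QUOTES);
+    $title = attribute_escape($options['title']);
     if ( !$number = (int) $options['number'] )
         $number = 5;
@@ -738,5 +738,5 @@
         wp_delete_recent_comments_cache();
     }
-    $title = htmlspecialchars($options['title'], ENT_QUOTES);
+    $title = attribute_escape($options['title']);
     if ( !$number = (int) $options['number'] )
         $number = 5;
@@ -779,8 +779,8 @@
         return;
     $rss = fetch_rss($url);
-    $link = wp_specialchars(strip_tags($rss->channel['link']), 1);
+    $link = clean_url(strip_tags($rss->channel['link']));
     while ( strstr($link, 'http') != $link )
         $link = substr($link, 1);
-    $desc = wp_specialchars(strip_tags(html_entity_decode($rss->channel['description'], ENT_QUOTES)), 1);
+    $desc = attribute_escape(strip_tags(html_entity_decode($rss->channel['description'], ENT_QUOTES)));
     $title = $options[$number]['title'];
     if ( empty($title) )
@@ -790,10 +790,10 @@
     if ( empty($title) )
         $title = __('Unknown Feed');
-    $url = wp_specialchars(strip_tags($url), 1);
+    $url = clean_url(strip_tags($url));
     if ( file_exists(dirname(__FILE__) . '/rss.png') )
         $icon = str_replace(ABSPATH, get_option('siteurl').'/', dirname(__FILE__)) . '/rss.png';
     else
         $icon = get_option('siteurl').'/wp-includes/images/rss.png';
-    $title = "<a class='rsswidget' href='$url' title='Syndicate this content'><img style='background:orange;color:white;border:none;' width='14' height='14' src='$icon' alt='RSS' /></a> <a class='rsswidget' href='$link' title='$desc'>$title</a>";
+    $title = "<a class='rsswidget' href='$url' title='" . attribute_escape(__('Syndicate this content')) ."'><img style='background:orange;color:white;border:none;' width='14' height='14' src='$icon' alt='RSS' /></a> <a class='rsswidget' href='$link' title='$desc'>$title</a>";
 ?>
         <?php echo $before_widget; ?>
@@ -806,6 +806,6 @@
             while ( strstr($item['link'], 'http') != $item['link'] )
                 $item['link'] = substr($item['link'], 1);
-            $link = wp_specialchars(strip_tags($item['link']), 1);
-            $title = wp_specialchars(strip_tags($item['title']), 1);
+            $link = clean_url(strip_tags($item['link']));
+            $title = attribute_escape(strip_tags($item['title']));
             if ( empty($title) )
                 $title = __('Untitled');
@@ -815,5 +815,5 @@
             } else {
                 if ( isset( $item['description'] ) && is_string( $item['description'] ) )
-                    $desc = str_replace(array("\n", "\r"), ' ', wp_specialchars(strip_tags(html_entity_decode($item['description'], ENT_QUOTES)), 1));
+                    $desc = str_replace(array("\n", "\r"), ' ', attribute_escape(strip_tags(html_entity_decode($item['description'], ENT_QUOTES))));
                 $summary = '';
             }
@@ -833,5 +833,5 @@
     if ( $_POST["rss-submit-$number"] ) {
         $newoptions[$number]['items'] = (int) $_POST["rss-items-$number"];
-        $url = strip_tags(stripslashes($_POST["rss-url-$number"]));
+        $url = clean_url(strip_tags(stripslashes($_POST["rss-url-$number"])));
         $newoptions[$number]['title'] = trim(strip_tags(stripslashes($_POST["rss-title-$number"])));
         if ( $url !== $options[$number]['url'] ) {
@@ -852,7 +852,7 @@
         update_option('widget_rss', $options);
     }
-    $url = htmlspecialchars($options[$number]['url'], ENT_QUOTES);
+    $url = attribute_escape($options[$number]['url']);
     $items = (int) $options[$number]['items'];
-    $title = htmlspecialchars($options[$number]['title'], ENT_QUOTES);
+    $title = attribute_escape($options[$number]['title']);
     if ( empty($items) || $items < 1 ) $items = 10;
 ?>
@@ -891,5 +891,5 @@
 <?php for ( $i = 1; $i < 10; ++$i ) echo "<option value='$i' ".($options['number']==$i ? "selected='selected'" : '').">$i</option>"; ?>
             </select>
-            <span class="submit"><input type="submit" name="rss-number-submit" id="rss-number-submit" value="<?php _e('Save'); ?>" /></span></p>
+            <span class="submit"><input type="submit" name="rss-number-submit" id="rss-number-submit" value="<?php echo attribute_escape(__('Save')); ?>" /></span></p>
         </form>
     </div>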
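Review bot: Lines 781, 792 and 808 replace `wp_specialchars(..., 1)`, which encoded single quotes, with `clean_url()`, and the result is then written into single-quoted attributes (`href='$url'` and `href='$link'` at 797, and presumably the item markup below the hunk); unless `clean_url()`, which is not visible here, strips or encodes `'`, a feed link containing one can break out of the attribute, so this looks like a quote-handling regression on the display path. Either confirm that behaviour of `clean_url()` or escape for attribute context after it, e.g. `$link = attribute_escape(clean_url(strip_tags($rss->channel['link'])));`, checking that the two helpers do not double-encode each other's output. Separately, line 835 now stores the `clean_url()` output in the option that `fetch_rss()` consumes at 780; if `clean_url()` rewrites characters for HTML output (ampersands in query strings, for instance), the URL actually fetched would differ from the one entered, so display-oriented rewriting belongs at output time rather than in the stored value. The widget functions these hunks touch start and end outside the hunks.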